Thanks a lot, I'll check these ideas and try to test them in a lab
environment.

Bye


On Thu, Jun 27, 2013 at 4:09 PM, Aaron Richton <[email protected]> wrote:

> On Thu, 27 Jun 2013, Jason Voorhees wrote:
>
>> As you can see, all these have the prefix "pre" before its real username
>> (jvoorhees, mjackson, sjobs, bgates, tcruis, etc...). I also have an
>> OpenLDAP server with a users directory tree whose usernames are the same
>> but without "pre", I mean they are jvoorhees, mjackson, sjobs, bgates,
>> tcruis, etc....
>> [...]
>>
>> Is this possible to do? Can I make a rule to suppress the "pre" prefix
>> before authentication against LDAP? If yes, where should I make this
>> "rule": in the Linux box (ldap client) or in the LDAP Server?
>>
>
> You might be able to use some slapo-rwm(5) rules to change all
> "uid=preXXX,..." into "uid=XXX,..." server-side. To my eye this looks sort
> of evil and might violate the principle of least surprise. In particular,
> if you're Linux-specific, perhaps you could look into pam_regex which is
> designed for this sort of use case.
>
> Another possibility might be "splitting the difference," running the
> slapo-rwm(5) rules inside of a local slapd(8), perhaps accessed via nssov,
> and keeping an upstream LDAP server without this mess.
>
> I'd suggest you build a test environment, try all your options out and see
> what sticks...
>
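
A lab check for the rewrite discussed above, added here as an example and not part of the original thread: it applies the "uid=preXXX,..." to "uid=XXX,..." mapping with a Python regex (a stand-in for the rule, not slapo-rwm syntax) and flags names the rewrite would break or make ambiguous. The base DN, the function names and the sample data are assumptions made for illustration.

```python
import re

# Assumed DN layout for illustration; the thread only gives "uid=preXXX,...".
BASE = "ou=people,dc=example,dc=com"
# Same transformation the reply describes: "uid=preXXX,..." -> "uid=XXX,..."
RULE = re.compile(r"^uid=pre([^,]+),(.*)$", re.IGNORECASE)


def rewrite_dn(dn: str) -> str:
    """Apply the prefix-stripping rule once; DNs that do not match pass through."""
    m = RULE.match(dn)
    return f"uid={m.group(1)},{m.group(2)}" if m else dn


def audit(client_names, directory_uids):
    """Classify each client-side name by what the rewrite would do to it."""
    directory = {u.lower() for u in directory_uids}
    report = {}
    for name in client_names:
        dn = f"uid={name},{BASE}"
        new_dn = rewrite_dn(dn)
        target = new_dn.split(",", 1)[0][len("uid="):].lower()
        if new_dn == dn:
            status = "unchanged"        # rule did not match, name passes through
        elif target not in directory:
            status = "no-such-entry"    # rewritten DN points at nothing
        elif name.lower() in directory:
            status = "ambiguous"        # both preX and X exist as real entries
        else:
            status = "ok"
        report[name] = (new_dn, status)
    return report


# Constructed sample data: names from the thread plus constructed edge cases.
CLIENT_NAMES = ["prejvoorhees", "premjackson", "prebgates", "preston", "root"]
DIRECTORY_UIDS = ["jvoorhees", "mjackson", "sjobs", "preston", "ston"]

if __name__ == "__main__":
    for name, (dn, status) in audit(CLIENT_NAMES, DIRECTORY_UIDS).items():
        print(f"{name:14} -> {dn:45} {status}")
```

The "ambiguous" case is the one to look for before deploying any such rule: a real account whose name happens to start with "pre" would be authenticated as a different entry.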
